<p>Tomasz Mloduchowski, <a href="http://mloduchowski.com/">mloduchowski.com</a>, 2017-05-14T18:34:00+01:00</p>
<h1>WCry 2.0 Attack - Knowns and Unknowns</h1>
<p>The UK infosec community has been plunged into a surprising weekend. Around 3pm BST on Friday, phones started ringing with news of the ransomware attack on the National Health Service. </p>
<p>Within minutes, we became aware of the scenario that many have warned the NHS about, and that would undoubtedly claim lives and cause untold damage. This writeup covers what we know already, and what we can infer, predict and recommend about the future. </p>
<h1>What we know:</h1>
<ol>
<li>
<p><strong>Target:</strong> WCry 2.0 does not appear to be specifically aimed at the NHS. At the time of this writing, 74 countries have been affected, including Spain's leading telecom Telefonica, Russian telecom Megafon, consultancies like KPMG and banks such as BBVA and Santander. The malware was designed to coerce its victims into paying a ransom to regain access to their computers and files, and appears to be opportunistic in its direction and spread. </p>
</li>
<li>
<p><strong>Design:</strong> WCry 2.0 incorporates components of code derived from a vulnerability discovered by the US National Security Agency (NSA) and subsequently leaked on the internet. This highlights the concerns around the fabrication and proliferation of "cyberweapons", as they can be easily modified to serve criminal purposes. </p>
</li>
<li>
<p><strong>Vulnerability:</strong> The worm exploits the unpatched critical vulnerability MS17-010, affecting the SMB (network file sharing) protocol in all Windows versions. Microsoft released a patch for this vulnerability on the 14th of March, 2017, which had not been installed on the affected machines. </p>
</li>
<li>
<p><strong>Behaviour:</strong> Consistent with this class of malware, WCry 2.0 identifies and encrypts user files across the computer, and demands payment in order to recover the files. As with many similar attacks, it might be possible to recover files without paying or relying on the cooperation of the malware authors. Since critical infrastructure has been targeted, one can assume that substantial resources are now dedicated to finding a solution. </p>
</li>
<li>
<p><strong>Kill Switch:</strong> The malware includes a kill switch: a method for the creators to disable its activity in the event that the attack spirals out of control, or has already run its course. Independent researchers were able to identify the switch and deploy it. While it was too late to prevent damage in Europe, this has likely mitigated the worm's effectiveness in the United States. Since then, additional strains of this malware have been observed – the criminal community has removed the kill switch, allowing modified attacks to continue unimpeded. </p>
</li>
</ol>
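<p>As an added example, not code from the original post: a defender-side PowerShell check of whether a Windows host is still exposed to the MS17-010 SMB flaw described above. The <code>Test-Ms17010Exposure</code> function and the <code>$Ms17010Kbs</code> parameter are assumptions of this example; the KB identifier is an obvious placeholder that the operator fills in from Microsoft's MS17-010 bulletin for the local OS build. The <code>Get-SmbServerConfiguration</code> and <code>Get-NetTCPConnection</code> cmdlets assume Windows 8 / Server 2012 or newer, with a registry fallback for older builds.</p>

```powershell
# Added example (not from the original post): report whether this host is still
# exposed to MS17-010 (unpatched + SMBv1 enabled + TCP/445 listening).
# Run in an elevated PowerShell session.

param(
    # Placeholder: take the real security-update KB for this OS from the MS17-010 bulletin.
    [string[]]$Ms17010Kbs = @('KB<MS17-010-security-update-for-this-OS>')
)

function Test-Ms17010Exposure {
    param([string[]]$Kbs)

    $findings = [ordered]@{}

    # 1. Is the March 2017 security update installed? Get-HotFix only lists the local
    #    update history, so a missing KB is a prompt to check superseding rollups,
    #    not proof of exposure on its own.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $findings['Ms17010KbInstalled'] = [bool]($Kbs | Where-Object { $installed -contains $_ })

    # 2. Is SMBv1 still enabled on the server side?
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) {
        $smb1 = [bool]$cfg.EnableSMB1Protocol
    } else {
        # Older builds: if the SMB1 value is absent, the protocol is enabled by default.
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $reg.SMB1) { $true } else { [bool]$reg.SMB1 }
    }
    $findings['Smb1Enabled'] = $smb1

    # 3. Is TCP/445 listening at all? A host that does not accept SMB from the network
    #    cannot be reached by the worm's lateral movement, whatever its patch state.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $findings['Port445Listening'] = [bool]$listening

    # Exposed only when all three conditions hold.
    $findings['Exposed'] = (-not $findings['Ms17010KbInstalled']) -and
                           $findings['Smb1Enabled'] -and
                           $findings['Port445Listening']

    [pscustomobject]$findings
}

Test-Ms17010Exposure -Kbs $Ms17010Kbs | Format-List
```

<p>The three checks are deliberately independent: a host with the patch missing but SMBv1 disabled, or with port 445 filtered at the host firewall, is not reachable by this worm, which is why the example reports each factor separately rather than a single verdict. Where SMBv1 is found enabled and is not needed, <code>Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force</code> turns it off on supported builds; installing the March 2017 update remains the actual fix.</p>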
<h1>What we don't know:</h1>
<ol>
<li><strong>NHS Damage:</strong> It appears that the worm targets end-user computers. Some of the key infrastructure might have been affected; however, according to the NHS statements, no health records have been compromised. What has been affected is the current operational capability – preventing the staff from doing their tasks and jeopardising lives. The remaining question is to what extent permanent damage was caused, beyond the temporary loss of capability. Also unknown is the value of any data held to ransom, which affects the recovery strategies below. </li>
<li><strong>Recovery Strategy:</strong> UK government agencies are collaborating closely on a response. It is currently unknown whether the most successful strategy would be to restore the NHS system to a safe state, without attempting to recover any data (assuming appropriate backups are made, the impact on a large organisation should be limited, in contrast to an SME whose entire business might be held to ransom). Alternatively, a technical solution might be found to decrypt the files without involving the malware control centres - there are many examples where criminals have made mistakes in the worm design, allowing for data recovery. Finally, the criminals have triggered a state-level response. This might mean expedited investigation, arrests and seizure of the control centres. Such a response could provide a way to recover the data utilizing the records held at such control centres. </li>
</ol>
<h1>What we can infer:</h1>
<ol>
<li><strong>NHS Infrastructure Design:</strong> One common mistake, especially glaring in foreign media, is to describe the NHS as a monolithic organisation. This mistake is repeated both by reporters and by businesses attempting to sell to "The NHS". The reality is that the NHS is a network of entities - trusts, GP practices, management bodies, research centres etc. - working towards a common goal and plan to provide a comprehensive health service for the nation. Most of these entities operate their own IT departments, under their own policies and plans. The NHS is fundamentally decentralised, but operates towards a centralised strategy. In this case, that partly helped contain the damage – and similar defence-in-depth approaches can be applied in the future. </li>
<li><strong>Entry point and self-inflicted damage:</strong> It is very difficult to pinpoint the exact means of penetration of the NHS. That said, looking at the timeline of public statements made during the attack, a substantial portion of the damage to the NHS was self-inflicted. As a result of the attack, which was not immediately triaged and identified, a wide range of NHS infrastructure was shut down in order to prevent further damage by the worm. Some of these decisions were likely premature, while others did not take into account the existence of defensive measures. I would be very surprised if any substantial effort were dedicated to data recovery - the NHS should be able to execute business continuity plans and restore operational capacity without the need for an advanced response. </li>
</ol>
<h1>What we can predict:</h1>
<ol>
<li><strong>Operational Capability:</strong> There is some speculation that the situation might not be dealt with by Monday. While full operational capacity might never be restored, as the attack might lead to expedited upgrades of the legacy infrastructure, the key components should be relatively easy to restore from the relevant backups. As the key databases are unlikely to be affected, restoration would be a matter of monitoring and slowly ramping up capacity, rather than a full restart. The distributed nature of the NHS makes it relatively anti-fragile, even in the light of such an attack. </li>
<li><strong>Strong legislative and investigative response:</strong> The scale of the attack has involved responses from the National Cyber Security Centre and all branches of the investigative services. It is of paramount importance that legislators and the public get as much accurate information on this attack as possible, to avoid knee-jerk reactions that would increase the future vulnerability of the UK's infrastructure. </li>
</ol>
<h1>What we can recommend:</h1>
<ol>
<li><strong>Anti-fragile IT:</strong> The saving grace of the NHS was its anti-fragility. Only some of the trusts were affected, only some of the services were impacted, and only some of the infrastructure needs to be repaired. The past decade of research in cryptography and cyberdefence has given birth to a range of technologies - from distributed ledgers to some of the more esoteric 'cryptographic data structures' - providing information immutability and verifiability. The attack has driven home a strong message: however much effort goes into maintaining perimeter security, once the perimeter is broken there needs to be a way to ensure strong internal resilience. This is an opportunity for new software vendors to take advantage of the failures of the old guard, and compete for the design of the next generation of critical infrastructure IT. </li>
<li><strong>Distributed Digital:</strong> Preventing infrastructure monoculture should become a strategic priority. While more difficult and costly to administer at first, it encourages better systems design. As a result, computer infrastructure can be expected to remain partially operable, rather than subject to a catastrophic failure. </li>
<li><strong>Public Participation:</strong> Cyber-security has the potential to affect everyone - not just the experts fighting the war in the trenches, and the most gullible members of the public who are the typical victims. As we make decisions on the design, security and policies, it is increasingly important that the public gets the best possible awareness of the threats, defences and technologies involved. Otherwise, we run the risk that some of the most important policy decisions are made without public understanding and democratic oversight. </li>
</ol>
<p><em>If you have any questions, comments, or want to have a discussion or commercial engagement, please don't hesitate to reach out.</em></p>